Merge pull request #82 from tstromberg/xz_incident

tstromberg · web-flow · commit 4a78b247f391 · 2024-03-31T17:43:44.000-04:00
Increasingly paranoid rules based on xz analysis
diff --git a/rules/env/LD_DEBUG.yara b/rules/env/LD_DEBUG.yara
@@ -0,0 +1,8 @@
+rule env_LD_DEBUG : suspicious {
+  meta:
+    description = "Checks if dynamic linker debugging is enabled"
+  strings:
+	$val = "LD_DEBUG" fullword
+  condition:
+	all of them
+}
diff --git a/rules/env/LD_PROFILE.yara b/rules/env/LD_PROFILE.yara
@@ -0,0 +1,8 @@
+rule env_LD_PROFILE : suspicious {
+  meta:
+    description = "Checks if dynamic linker profiling is enabled"
+  strings:
+	$val = "LD_PROFILE" fullword
+  condition:
+	all of them
+}
diff --git a/rules/env/TERM.yara b/rules/env/TERM.yara
@@ -1,4 +1,4 @@
-rule TERM : harmless {
+rule TERM {
   meta:
 	description = "Look up or override terminal settings"
   strings:
diff --git a/rules/ref/program/sshd.yara b/rules/ref/program/sshd.yara
@@ -8,6 +8,14 @@ rule sshd : notable {
     $ref
 }
 
+rule sshd_path_value : suspicious {
+  meta:
+	description = "Mentions the SSH daemon by path"
+  strings:
+	$ref = "/usr/bin/sshd" fullword
+  condition:
+    $ref
+}
 
 rule sshd_net : suspicious {
   meta:
diff --git a/rules/shell/byte_offsets.yara b/rules/shell/byte_offsets.yara
@@ -0,0 +1,17 @@
+rule tail_byte_offsets : notable {
+  meta:
+	description = "uses the tail command with exotic offset values"
+  strings:
+	$val = /tail -c \+\d{3,8}/
+  condition:
+    any of them
+}
+
+rule head_byte_offsets : notable {
+  meta:
+	description = "uses the head command with exotic offset values"
+  strings:
+	$val = /head -c \+\d{3,8}/
+  condition:
+    any of them
+}
diff --git a/rules/shell/pipe_sh.yara b/rules/shell/pipe_sh.yara
@@ -0,0 +1,11 @@
+rule pipe_to_shell : notable {
+  meta:
+  	description = "pipes to shell"
+  strings:
+    $val_sh = "| sh"
+    $val_bin_sh = "| /bin/sh"
+    $val_bash = "| bash"
+    $val_bin_bash = "| /bin/bash"
+  condition:
+	any of them
+}
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
@@ -8,7 +8,6 @@ rule eval : suspicious {
 		$ref and not $empty
 }
 
-
 rule python_exec : suspicious {
 	meta:
 		description = "evaluate code dynamically using exec()"
@@ -18,3 +17,12 @@ rule python_exec : suspicious {
 	condition:
 		$ref and not $empty
 }
+
+rule shell_eval : suspicious {
+	meta:
+		description = "evaluate code dynamically using eval"	
+	strings:
+		$val = /eval \$\w{0,64}/ fullword
+	condition:
+		$val
+}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-rule TERM : harmless {`
	`1`	`+rule TERM {`
`2`	`2`	`meta:`
`3`	`3`	`description = "Look up or override terminal settings"`
`4`	`4`	`strings:`